java source code of TPMAttestationStatementValidator

Project: webauthn4j (GitHub Link)

webauthn4j-master
- .github
  - ISSUE_TEMPLATE
    - feature_request.md
    - bug_report.md
  - stale.yml
  - dependabot.yml
  - workflows
    - ci.yml
    - pr-gate-ci.yml
    - snapshot-release.yml
    - release.yml
- owasp
  - suppression.xml
- gradle.properties
- gradle
  - wrapper
    - gradle-wrapper.properties
  - lib
- webauthn4j-metadata
  - src
    - main
      - resources
        metadata
        certs
        FIDOMetadataService.cer
      - java
        com
        webauthn4j
        metadata
        HttpClient.java
        MetadataItemsResolver.java
        MetadataItemsResolverImpl.java
        validator
        MetadataItemValidator.java
        MetadataStatementValidator.java
        FidoMdsMetadataItemsProvider.java
        FidoMdsMetadataValidator.java
        exception
        MDSException.java
        BadStatusException.java
        UnknownProtocolFamilyException.java
        MetadataItemsProvider.java
        data
        toc
        BiometricStatusReport.java
        MetadataTOCPayloadEntry.java
        AuthenticatorStatus.java
        StatusReport.java
        MetadataTOCPayload.java
        uaf
        AAID.java
        MetadataItemImpl.java
        MetadataItem.java
        statement
        AttestationType.java
        MatcherProtection.java
        KeyProtection.java
        VerificationMethodDescriptor.java
        AttachmentHint.java
        UserVerificationMethod.java
        AuthenticationAlgorithm.java
        VerificationMethodANDCombinations.java
        ExtensionDescriptor.java
        AlternativeDescriptions.java
        BiometricAccuracyDescriptor.java
        PatternAccuracyDescriptor.java
        TransactionConfirmationDisplays.java
        DisplayPNGCharacteristicsDescriptor.java
        KeyProtections.java
        Version.java
        CodeAccuracyDescriptor.java
        MetadataStatement.java
        AttachmentHints.java
        PublicKeyRepresentationFormat.java
        MatcherProtections.java
        RGBPaletteEntry.java
        EcdaaTrustAnchor.java
        TransactionConfirmationDisplay.java
        AggregatingMetadataItemsProvider.java
        AggregatingMetadataStatementsProvider.java
        MetadataStatementsTrustAnchorsProvider.java
        converter
        jackson
        WebAuthnMetadataJSONModule.java
        deserializer
        KeyProtectionsDeserializer.java
        AttachmentHintsDeserializer.java
        MatcherProtectionsDeserializer.java
        TransactionConfirmationDisplaysDeserializer.java
        serializer
        KeyProtectionsSerializer.java
        AttachmentHintsSerializer.java
        MatcherProtectionsSerializer.java
        TransactionConfirmationDisplaysSerializer.java
        JsonFileMetadataStatementsProvider.java
        MetadataItemsMetadataStatementsProvider.java
        SimpleHttpClient.java
        MetadataStatementsProvider.java
    - test
      - resources
        com
        webauthn4j
        metadata
        JsonMetadataItem_unknown_protocol.json
        JsonMetadataItem_fido2.json
        JsonMetadataItem_uaf.json
        JsonMetadataItem_u2f.json
      - java
        com
        webauthn4j
        metadata
        JsonFileMetadataStatementsProviderTest.java
        AggregatingMetadataStatementsProviderTest.java
        FidoMdsMetadataValidatorTest.java
        FidoMdsMetadataItemsProviderTest.java
        MetadataStatementsTrustAnchorsProviderTest.java
        data
        toc
        AuthenticatorStatusTest.java
        uaf
        AAIDTest.java
        statement
        MetadataStatementTest.java
        KeyProtectionTest.java
        MatcherProtectionTest.java
        AlternativeDescriptionsTest.java
        TransactionConfirmationDisplayTest.java
        AuthenticationAlgorithmTest.java
        PublicKeyRepresentationFormatTest.java
        UserVerificationMethodTest.java
        AttachmentHintTest.java
        AttestationTypeTest.java
        MetadataItemsProviderTest.java
  - build.gradle
- .travis
  - travis_wait
- gradlew.bat
- webauthn4j-util
  - src
    - main
      - java
        com
        webauthn4j
        util
        UUIDUtil.java
        ConstUtil.java
        MACUtil.java
        ArrayUtil.java
        HKDFUtil.java
        MessageDigestUtil.java
        Base64UrlUtil.java
        HexUtil.java
        RSAUtil.java
        exception
        NotImplementedException.java
        UnexpectedCheckedException.java
        WebAuthnException.java
        ECUtil.java
        Base64Util.java
        package-info.java
        CertificateUtil.java
        WIP.java
        SignatureUtil.java
        CollectionUtil.java
        UnsignedNumberUtil.java
        AssertUtil.java
    - test
      - java
        com
        webauthn4j
        util
        HKDFUtilTest.java
        UnsignedNumberUtilTest.java
        ECUtilTest.java
        MessageDigestUtilTest.java
        AssertUtilTest.java
        exception
        UnexpectedCheckedExceptionTest.java
        NotImplementedExceptionTest.java
        Base64UrlUtilTest.java
        CertificateUtilTest.java
        UUIDUtilTest.java
        Base64UtilTest.java
        SignatureUtilTest.java
  - build.gradle
- gradlew
- build.gradle
- helper.gradle
- webauthn4j-test
  - src
    - main
      - resources
        attestation
        3tier
        db
        index.attr
        index
        index.attr.old
        crlnumber.old
        index.old
        serial
        serial.old
        crlnumber
        csr
        3tier-test-intermediate-CA.csr
        3tier-test-root-CA.csr
        3tier-test-authenticator.csr
        jks
        3tier-test.jks
        crl
        3tier-test-intermediate-CA.crl
        3tier-test-root-CA.crl
        certs
        0D187EA99B292C3E80AA5580D49C888C.pem
        3tier-test-intermediate-CA.crt
        0D187EA99B292C3E80AA5580D49C888F.pem
        3tier-test-authenticator.crt
        F0B1F231184E4A87E115AA8EB37ABB6E.pem
        0D187EA99B292C3E80AA5580D49C888E.pem
        0D187EA99B292C3E80AA5580D49C888D.pem
        0D187EA99B292C3E80AA5580D49C888A.pem
        3tier-test-root-CA.crt
        0D187EA99B292C3E80AA5580D49C888B.pem
        private
        3tier-test-authenticator.der
        3tier-test-intermediate-CA.der
        3tier-test-root-CA.der
        3tier-test-intermediate-CA.key
        3tier-test-authenticator.key
        3tier-test-root-CA.key
        conf
        3tier-test-intermediate-CA.conf
        3tier-test-root-CA.conf
        2tier
        db
        index.attr
        index
        index.attr.old
        crlnumber.old
        index.old
        serial
        serial.old
        crlnumber
        csr
        2tier-test-authenticator.csr
        2tier-test-root-CA.csr
        crl
        2tier-test-root-CA.crl
        certs
        20F763C04183B10537DBE8506A2250F2.pem
        2tier-test-authenticator.crt
        20F763C04183B10537DBE8506A2250ED.pem
        20F763C04183B10537DBE8506A2250F1.pem
        20F763C04183B10537DBE8506A2250F0.pem
        2tier-test-root-CA.crt
        20F763C04183B10537DBE8506A2250EF.pem
        20F763C04183B10537DBE8506A2250EE.pem
        private
        2tier-test-authenticator.key
        2tier-test-authenticator.der
        2tier-test-root-CA.key
        2tier-test-root-CA.der
        conf
        2tier-test-root-CA.conf
      - java
        com
        webauthn4j
        test
        TestConstants.java
        AttestationCertificateBuilder.java
        client
        AuthenticationEmulationOption.java
        U2FAttestationOption.java
        NoAuthenticatorSuccessException.java
        RegistrationEmulationOption.java
        ClientPlatform.java
        CACertificatePath.java
        EmulatorUtil.java
        CipherUtil.java
        TestAttestationUtil.java
        TestAttestationStatementUtil.java
        authenticator
        u2f
        FIDOU2FAuthenticatorAdaptor.java
        AuthenticationRequest.java
        RegistrationRequest.java
        exception
        FIDOU2FException.java
        AuthenticationResponse.java
        FIDOU2FAuthenticator.java
        RegistrationResponse.java
        webauthn
        AndroidKeyAuthenticator.java
        AndroidSafetyNetAuthenticator.java
        GetAssertionResponse.java
        TPMAttestationOption.java
        PublicKeyCredentialSource.java
        AndroidSafetyNetAttestationOption.java
        AndroidKeyAttestationOption.java
        MakeCredentialRequest.java
        AttestationOption.java
        WebAuthnModelAuthenticator.java
        exception
        InvalidStateException.java
        NotAllowedException.java
        ConstraintException.java
        WebAuthnModelException.java
        NotSupportedException.java
        WebAuthnAuthenticator.java
        GetAssertionRequest.java
        PackedAttestationOption.java
        PackedAuthenticator.java
        WebAuthnAuthenticatorAdaptor.java
        AttestationStatementRequest.java
        MakeCredentialResponse.java
        TPMAuthenticator.java
        CredentialMapKey.java
        CredentialRequestResponse.java
        AuthenticatorAdaptor.java
        CredentialCreationResponse.java
        TestDataUtil.java
    - test
      - java
        com
        webauthn4j
        test
        TestAttestationUtilTest.java
        authenticator
        webauthn
        TPMAuthenticatorTest.java
  - build.gradle
- .travis.yml
- README.md
- settings.gradle
- .gitignore
- docs
  - src
    - reference
      - asciidoc
        en
        deep-dive.adoc
        introduction.adoc
        quick-start.adoc
        configuration.adoc
        image
        logo
        high-res
        original
        logo.jpg
        logo-only
        high-res
        original
        logo.jpg
        index.adoc
        known-issues.adoc
        index-docinfo.xml
        ja
        design-note.adoc
        webauthn-in-a-nutshell.adoc
        deep-dive.adoc
        introduction.adoc
        quick-start.adoc
        configuration.adoc
        index.adoc
        known-issues.adoc
  - internal
    - release-procedure.md
  - image
- LICENSE.txt
- webauthn4j-core
  - src
    - main
      - java
        com
        webauthn4j
        WebAuthnManager.java
        validator
        TokenBindingValidator.java
        AttestationValidator.java
        AssertionSignatureValidator.java
        BeanAssertUtil.java
        ChallengeValidator.java
        AuthenticationDataValidator.java
        CustomRegistrationValidator.java
        RpIdHashValidator.java
        AuthenticationObject.java
        exception
        TokenBindingException.java
        UnexpectedExtensionException.java
        BadChallengeException.java
        BadRpIdException.java
        PublicKeyMismatchException.java
        KeyDescriptionValidationException.java
        UserNotVerifiedException.java
        CertificateException.java
        InconsistentClientDataTypeException.java
        BadAaguidException.java
        UserNotPresentException.java
        BadAlgorithmException.java
        BadSignatureException.java
        MissingChallengeException.java
        ConstraintViolationException.java
        package-info.java
        ValidationException.java
        BadOriginException.java
        MaliciousCounterValueException.java
        TrustAnchorNotFoundException.java
        BadAttestationStatementException.java
        SelfAttestationProhibitedException.java
        CustomAuthenticationValidator.java
        ExtensionValidator.java
        package-info.java
        RegistrationObject.java
        MaliciousCounterValueHandler.java
        attestation
        trustworthiness
        self
        DefaultSelfAttestationTrustworthinessValidator.java
        NullSelfAttestationTrustworthinessValidator.java
        SelfAttestationTrustworthinessValidator.java
        package-info.java
        certpath
        TrustAnchorCertPathTrustworthinessValidator.java
        NullCertPathTrustworthinessValidator.java
        CertPathTrustworthinessValidatorBase.java
        CertPathTrustworthinessValidator.java
        package-info.java
        statement
        AbstractStatementValidator.java
        u2f
        FIDOU2FAttestationStatementValidator.java
        NullFIDOU2FAttestationStatementValidator.java
        androidsafetynet
        GooglePlayServiceVersionValidator.java
        NullAndroidSafetyNetAttestationStatementValidator.java
        AndroidSafetyNetAttestationStatementValidator.java
        androidkey
        NullAndroidKeyAttestationStatementValidator.java
        AndroidKeyAttestationStatementValidator.java
        KeyDescriptionValidator.java
        AttestationStatementValidator.java
        none
        NoneAttestationStatementValidator.java
        tpm
        NullTPMDevicePropertyValidator.java
        TPMAttestationStatementValidator.java
        NullTPMAttestationStatementValidator.java
        TPMDeviceProperty.java
        TPMDevicePropertyValidator.java
        package-info.java
        packed
        PackedAttestationStatementValidator.java
        NullPackedAttestationStatementValidator.java
        RegistrationDataValidator.java
        DefaultMaliciousCounterValueHandler.java
        OriginValidator.java
        anchor
        TrustAnchorsProvider.java
        CertFileTrustAnchorsProvider.java
        KeyStoreFileTrustAnchorsProvider.java
        TrustAnchorsResolverImpl.java
        CachingTrustAnchorsProviderBase.java
        KeyStoreException.java
        TrustAnchorsResolver.java
        KeyStoreTrustAnchorsProvider.java
        WebAuthnRegistrationManager.java
        package-info.java
        WebAuthnAuthenticationManager.java
        data
        AuthenticatorAttachment.java
        AuthenticatorAttestationResponse.java
        RegistrationData.java
        PublicKeyCredentialParameters.java
        AttestationConveyancePreference.java
        PublicKeyCredentialDescriptor.java
        jws
        JWAIdentifier.java
        JWSFactory.java
        JWS.java
        JWSSignatureUtil.java
        JWSHeader.java
        JWSException.java
        AuthenticatorTransport.java
        client
        ClientDataType.java
        TokenBinding.java
        challenge
        Challenge.java
        DefaultChallenge.java
        Origin.java
        CollectedClientData.java
        TokenBindingStatus.java
        AbstractImmutableMap.java
        AuthenticationRequest.java
        PublicKeyCredentialUserEntity.java
        extension
        ExtensionInput.java
        client
        UnknownExtensionClientInput.java
        AuthenticationExtensionClientInput.java
        AuthenticationExtensionsClientInputs.java
        UnknownExtensionClientOutput.java
        FIDOAppIDExtensionClientOutput.java
        AuthenticationExtensionsClientOutputs.java
        ExtensionClientInput.java
        CredentialPropertiesExtensionClientInput.java
        CredentialPropertiesExtensionClientOutput.java
        FIDOAppIDExtensionClientInput.java
        AuthenticationExtensionClientOutput.java
        RegistrationExtensionClientInput.java
        RegistrationExtensionClientOutput.java
        ExtensionClientOutput.java
        AbstractExtensionOutput.java
        AbstractExtensionInput.java
        authenticator
        AuthenticationExtensionsAuthenticatorOutputs.java
        AuthenticationExtensionsAuthenticatorInputs.java
        ExtensionAuthenticatorInput.java
        RegistrationExtensionAuthenticatorInput.java
        AuthenticationExtensionAuthenticatorInput.java
        AuthenticationExtensionAuthenticatorOutput.java
        RegistrationExtensionAuthenticatorOutput.java
        ExtensionAuthenticatorOutput.java
        UnknownExtensionAuthenticatorOutput.java
        ExtensionOutput.java
        RegistrationRequest.java
        AuthenticationParameters.java
        x500
        Attributes.java
        X500Name.java
        AuthenticatorSelectionCriteria.java
        PublicKeyCredentialCreationOptions.java
        AuthenticationData.java
        PublicKeyCredentialType.java
        attestation
        AttestationObject.java
        authenticator
        AbstractCOSEKey.java
        AttestedCredentialData.java
        COSEKey.java
        AAGUID.java
        RSACOSEKey.java
        AuthenticatorData.java
        Curve.java
        EC2COSEKey.java
        statement
        AttestationType.java
        TPMSECCParms.java
        PackedAttestationStatement.java
        TPMIAlgPublic.java
        TPMUtil.java
        AttestationCertificate.java
        TPMAttestationStatement.java
        TPMISTAttest.java
        TPMUAttest.java
        FIDOU2FAttestationStatement.java
        TPMTPublic.java
        AndroidSafetyNetAttestationStatement.java
        CertificateBaseAttestationStatement.java
        TPMEccCurve.java
        TPMAObject.java
        COSEKeyOperation.java
        AndroidKeyAttestationStatement.java
        Response.java
        ECCUnique.java
        NoneAttestationStatement.java
        TPMUPublicParms.java
        RSAUnique.java
        TPMUPublicId.java
        AttestationStatement.java
        TPMSClockInfo.java
        TPMSRSAParms.java
        AttestationCertificatePath.java
        TPMSCertifyInfo.java
        TPMTHA.java
        TPMSAttest.java
        TPMIAlgHash.java
        COSEKeyType.java
        SignatureAlgorithm.java
        COSEAlgorithmIdentifier.java
        TPMGenerated.java
        AuthenticatorResponse.java
        PublicKeyCredential.java
        PublicKeyCredentialRpEntity.java
        ResidentKeyRequirement.java
        PublicKeyCredentialEntity.java
        AuthenticatorAssertionResponse.java
        AbstractWebAuthnContext.java
        RegistrationParameters.java
        PublicKeyCredentialRequestOptions.java
        UserVerificationRequirement.java
        converter
        AttestationObjectConverter.java
        AuthenticationExtensionsClientInputsConverter.java
        jackson
        deserializer
        CertPathDeserializer.java
        ExtensionAuthenticatorOutputDeserializer.java
        AttestedCredentialDataDeserializer.java
        ChallengeDeserializer.java
        ExtensionClientInputDeserializer.java
        AuthenticationExtensionClientInputDeserializer.java
        JWSDeserializer.java
        X509CertificateDeserializer.java
        AuthenticatorDataDeserializer.java
        UnknownExtensionAuthenticatorOutputDeserializer.java
        UnknownExtensionClientInputDeserializer.java
        RegistrationExtensionClientInputDeserializer.java
        ExtensionClientOutputDeserializer.java
        COSEKeyEnvelopeDeserializer.java
        AuthenticationExtensionsAuthenticatorOutputsEnvelopeDeserializer.java
        AAGUIDDeserializer.java
        UnknownExtensionClientOutputDeserializer.java
        TPMTPublicDeserializer.java
        AuthenticationExtensionsAuthenticatorOutputsEnvelope.java
        TPMSAttestDeserializer.java
        COSEKeyEnvelope.java
        package-info.java
        WebAuthnJSONModule.java
        JacksonUtil.java
        WebAuthnCBORModule.java
        serializer
        RSACOSEKeySerializer.java
        AAGUIDSerializer.java
        AuthenticatorDataSerializer.java
        X509CertificateSerializer.java
        JWSSerializer.java
        TPMTPublicSerializer.java
        EC2COSEKeySerializer.java
        TPMSAttestSerializer.java
        AbstractCtapCanonicalCborSerializer.java
        ChallengeSerializer.java
        AttestedCredentialDataSerializer.java
        OriginSerializer.java
        CertPathSerializer.java
        AttestedCredentialDataConverter.java
        CollectedClientDataConverter.java
        util
        JsonConverter.java
        CborConverter.java
        ObjectConverter.java
        exception
        DataConversionException.java
        package-info.java
        AuthenticationExtensionsClientOutputsConverter.java
        AuthenticatorDataConverter.java
        AuthenticatorTransportConverter.java
        server
        ServerProperty.java
        authenticator
        Authenticator.java
        AuthenticatorImpl.java
    - test
      - resources
        attestation
        google
        google-root-CA.crt
        com
        webauthn4j
        anchor
        CertFileTrustAnchorsProviderTest
        test.crt
        KeyStoreFileTrustAnchorsProviderTest
        test.jks
      - java
        sample
        WebAuthnRegistrationContextValidatorSample.java
        WebAuthnManagerSample.java
        integration
        component
        NullAttestationStatementValidatorTest.java
        scenario
        FIDOU2FAuthenticatorRegistrationValidationTest.java
        TPMAuthenticatorRegistrationValidationTest.java
        FIDOU2FAuthenticatorAuthenticationValidationTest.java
        UserVerifyingAuthenticatorRegistrationValidationTest.java
        CustomAuthenticationValidationTest.java
        CustomRegistrationValidationTest.java
        AndroidSafetyNetAuthenticatorRegistrationValidationTest.java
        UserVerifyingAuthenticatorAuthenticationValidationTest.java
        AndroidKeyAuthenticatorRegistrationValidationTest.java
        test
        TestExtensionAuthenticatorOutput.java
        com
        webauthn4j
        WebAuthnRegistrationManagerTest.java
        validator
        AuthenticationDataValidatorTest.java
        RegistrationDataValidatorTest.java
        ChallengeValidatorTest.java
        OriginValidatorTest.java
        RegistrationObjectTest.java
        AttestationValidatorTest.java
        DefaultMaliciousCounterValueHandlerTest.java
        TokenBindingValidatorTest.java
        exception
        BadRpIdExceptionTest.java
        PublicKeyMismatchExceptionTest.java
        ConstraintViolationExceptionTest.java
        BadChallengeExceptionTest.java
        BadSignatureExceptionTest.java
        KeyDescriptionValidationExceptionTest.java
        MaliciousCounterValueExceptionTest.java
        UserNotVerifiedExceptionTest.java
        SelfAttestationProhibitedExceptionTest.java
        InconsistentClientDataTypeExceptionTest.java
        BadAaguidExceptionTest.java
        CertificateExceptionTest.java
        UserNotPresentExceptionTest.java
        KeyStoreExceptionTest.java
        BadAttestationStatementExceptionTest.java
        BadOriginExceptionTest.java
        BadAlgorithmExceptionTest.java
        MissingChallengeExceptionTest.java
        UnexpectedExtensionExceptionTest.java
        TokenBindingExceptionTest.java
        TrustAnchorNotFoundExceptionTest.java
        BeanAssertUtilTest.java
        CustomAuthenticationValidatorTest.java
        RpIdHashValidatorTest.java
        attestation
        trustworthiness
        self
        DefaultSelfAttestationTrustworthinessValidatorTest.java
        NullSelfAttestationTrustworthinessValidatorTest.java
        certpath
        TrustAnchorCertPathTrustworthinessValidatorTest.java
        NullCertPathTrustworthinessValidatorTest.java
        statement
        u2f
        FIDOU2FAttestationStatementValidatorTest.java
        androidsafetynet
        AndroidSafetyNetAttestationStatementValidatorTest.java
        NullAndroidSafetyNetAttestationStatementValidatorTest.java
        androidkey
        KeyDescriptionValidatorTest.java
        AndroidKeyAttestationStatementValidatorTest.java
        NullAndroidKeyAttestationStatementValidatorTest.java
        none
        NoneAttestationStatementValidatorTest.java
        tpm
        NullTPMAttestationStatementValidatorTest.java
        TPMAttestationStatementValidatorTest.java
        TPMDevicePropertyTest.java
        AbstractStatementValidatorTest.java
        packed
        PackedAttestationStatementValidatorTest.java
        NullPackedAttestationStatementValidatorTest.java
        ExtensionValidatorTest.java
        AuthenticationObjectTest.java
        anchor
        KeyStoreFileTrustAnchorsProviderTest.java
        KeyStoreTrustAnchorsProviderTest.java
        CertFileTrustAnchorsProviderTest.java
        TrustAnchorsResolverImplTest.java
        SampleTrustAnchorsProvider.java
        WebAuthnAuthenticationManagerTest.java
        data
        PublicKeyCredentialUserEntityTest.java
        UserVerificationRequirementTest.java
        PublicKeyCredentialParametersTest.java
        TestDto.java
        AuthenticationParametersTest.java
        AuthenticatorAssertionResponseTest.java
        PublicKeyCredentialDescriptorTest.java
        RegistrationRequestTest.java
        ResidentKeyRequirementTest.java
        AuthenticatorAttachmentTest.java
        jws
        JWSTest.java
        JWSHeaderTest.java
        JWSFactoryTest.java
        JWSExceptionTest.java
        JWAIdentifierTest.java
        RegistrationDataTest.java
        PublicKeyCredentialCreationOptionsTest.java
        AuthenticatorTransportTest.java
        client
        challenge
        DefaultChallengeTest.java
        OriginTest.java
        TokenBindingTest.java
        CollectedClientDataTest.java
        ClientDataTypeTest.java
        TokenBindingStatusTest.java
        RegistrationParametersTest.java
        AuthenticatorSelectionCriteriaTest.java
        AuthenticatorAttestationResponseTest.java
        AuthenticationDataTest.java
        extension
        client
        FIDOAppIDExtensionClientOutputTest.java
        UnknownExtensionClientInputTest.java
        CredentialPropertiesExtensionClientInputTest.java
        UnknownExtensionClientOutputTest.java
        AuthenticationExtensionsClientOutputsTest.java
        CredentialPropertiesExtensionClientOutputTest.java
        authenticator
        UnknownExtensionAuthenticatorOutputTest.java
        PublicKeyCredentialRpEntityTest.java
        AuthenticationRequestTest.java
        AttestationConveyancePreferenceTest.java
        PublicKeyCredentialTest.java
        x500
        X500NameTest.java
        PublicKeyCredentialTypeTest.java
        attestation
        AttestationObjectTest.java
        authenticator
        AttestedCredentialDataTest.java
        ESSignatureAlgorithmTest.java
        CurveTest.java
        RSACOSEKeyTest.java
        AuthenticatorDataTest.java
        EC2COSEKeyTest.java
        AAGUIDTest.java
        statement
        AndroidSafetyNetAttestationStatementTest.java
        TPMAObjectTest.java
        FIDOU2FAttestationStatementTest.java
        SignatureAlgorithmTest.java
        AndroidKeyAttestationStatementTest.java
        TPMIAlgPublicTest.java
        TPMEccCurveTest.java
        AttestationCertificatePathTest.java
        TPMISTAttestTest.java
        TPMGeneratedTest.java
        PackedAttestationStatementTest.java
        COSEAlgorithmIdentifierTest.java
        COSEKeyTypeTest.java
        COSEKeyOperationTest.java
        TPMIAlgHashTest.java
        NoneAttestationStatementTest.java
        AttestationCertificateTest.java
        TPMAttestationStatementTest.java
        PublicKeyCredentialRequestOptionsTest.java
        converter
        AuthenticatorDataConverterTest.java
        AuthenticatorTransportConverterTest.java
        CollectedClientDataConverterTest.java
        AttestedCredentialDataConverterTest.java
        jackson
        deserializer
        ChallengeDeserializerTest.java
        UnknownExtensionClientOutputDeserializerTest.java
        AttestationObjectDeserializerTest.java
        AttestationStatementDeserializerTest.java
        X509CertificateDeserializerTest.java
        package-info.java
        ExtensionClientOutputDeserializerTest.java
        UnknownExtensionClientInputDeserializerTest.java
        TPMTPublicDeserializerTest.java
        X509CertificateDeserializerTestData.java
        UnknownExtensionAuthenticatorOutputDeserializerTest.java
        JacksonUtilTest.java
        serializer
        CertPathSerializerTest.java
        AuthenticatorDataSerializerTest.java
        package-info.java
        util
        ConverterTestDto.java
        JsonConverterIntegrationTest.java
        ObjectConverterTest.java
        ConverterTestInvalidDto.java
        JsonConverterTest.java
        exception
        DataConversionExceptionTest.java
        AttestationCertificatePathConverterTest.java
        AttestationObjectConverterTest.java
        AuthenticationExtensionsClientOutputsConverterTest.java
        AuthenticationExtensionsClientInputsConverterTest.java
        server
        ServerPropertyTest.java
        authenticator
        AuthenticatorTest.java
        AuthenticatorImplTest.java
        WebAuthnManagerTest.java
  - build.gradle
- github-release-notes-generator.yml

/*
 * Copyright 2018 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.webauthn4j.validator.attestation.statement.tpm;

import com.webauthn4j.data.attestation.authenticator.AAGUID;
import com.webauthn4j.data.attestation.authenticator.AuthenticatorData;
import com.webauthn4j.data.attestation.statement.*;
import com.webauthn4j.data.extension.authenticator.RegistrationExtensionAuthenticatorOutput;
import com.webauthn4j.data.x500.X500Name;
import com.webauthn4j.util.MessageDigestUtil;
import com.webauthn4j.util.SignatureUtil;
import com.webauthn4j.util.UnsignedNumberUtil;
import com.webauthn4j.validator.RegistrationObject;
import com.webauthn4j.validator.attestation.statement.AbstractStatementValidator;
import com.webauthn4j.validator.exception.BadAttestationStatementException;
import org.apache.kerby.asn1.type.Asn1Utf8String;
import org.apache.kerby.asn1.util.HexUtil;

import java.io.IOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.*;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.EllipticCurve;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;

public class TPMAttestationStatementValidator extends AbstractStatementValidator<TPMAttestationStatement> {

    private static final String ID_FIDO_GEN_CE_AAGUID = "1.3.6.1.4.1.45724.1.1.4";

    // ~ Instance fields
    // ================================================================================================

    private TPMDevicePropertyValidator tpmDevicePropertyValidator = new NullTPMDevicePropertyValidator();

    @Override
    public AttestationType validate(RegistrationObject registrationObject) {
        if (!supports(registrationObject)) {
            throw new IllegalArgumentException("Specified format is not supported by " + this.getClass().getName());
        }
        TPMAttestationStatement attestationStatement = (TPMAttestationStatement) registrationObject.getAttestationObject().getAttestationStatement();

        if (!attestationStatement.getVer().equals(TPMAttestationStatement.VERSION_2_0)) {
            throw new BadAttestationStatementException("TPM version is not supported.");
        }

        TPMSAttest certInfo = attestationStatement.getCertInfo();
        TPMTPublic pubArea = attestationStatement.getPubArea();
        AuthenticatorData<RegistrationExtensionAuthenticatorOutput<?>> authenticatorData = registrationObject.getAttestationObject().getAuthenticatorData();

        /// Verify that the public key specified by the parameters and unique fields of pubArea is identical to the credentialPublicKey in the attestedCredentialData in authenticatorData.
        validatePublicKeyEquality(pubArea, authenticatorData);

        /// Concatenate authenticatorData and clientDataHash to form attToBeSigned.
        byte[] attToBeSigned = getAttToBeSigned(registrationObject);

        /// Validate that certInfo is valid:

        /// Verify that magic is set to TPM_GENERATED_VALUE.
        if (certInfo.getMagic() != TPMGenerated.TPM_GENERATED_VALUE) {
            throw new BadAttestationStatementException("magic must be TPM_GENERATED_VALUE");
        }

        /// Verify that type is set to TPM_ST_ATTEST_CERTIFY.
        if (certInfo.getType() != TPMISTAttest.TPM_ST_ATTEST_CERTIFY) {
            throw new BadAttestationStatementException("type must be TPM_ST_ATTEST_CERTIFY");
        }

        /// Verify that extraData is set to the hash of attToBeSigned using the hash algorithm employed in "alg".
        COSEAlgorithmIdentifier alg = attestationStatement.getAlg();
        String messageDigestJcaName = getMessageDigestJcaName(alg);
        byte[] hash = MessageDigestUtil.createMessageDigest(messageDigestJcaName).digest(attToBeSigned);
        if (!Arrays.equals(certInfo.getExtraData(), hash)) {
            throw new BadAttestationStatementException("extraData must be equals to the hash of attToBeSigned");
        }

        /// Verify that attested contains a TPMS_CERTIFY_INFO structure as specified in [TPMv2-Part2] section 10.12.3,
        /// whose name field contains a valid Name for pubArea, as computed using the algorithm in the nameAlg field of
        /// pubArea using the procedure specified in [TPMv2-Part1] section 16.
        TPMSCertifyInfo certifyInfo = (TPMSCertifyInfo) certInfo.getAttested();
        TPMIAlgHash hashAlg = certifyInfo.getName().getHashAlg();
        String algJcaName;
        algJcaName = getAlgJcaName(hashAlg);

        byte[] pubAreaDigest = MessageDigestUtil.createMessageDigest(algJcaName).digest(pubArea.getBytes());
        if (!Arrays.equals(pubAreaDigest, certifyInfo.getName().getDigest())) {
            throw new BadAttestationStatementException("hash of `attested` doesn't match with name field of certifyInfo");
        }

        /// Note that the remaining fields in the "Standard Attestation Structure" [TPMv2-Part1] section 31.2,
        /// i.e., qualifiedSigner, clockInfo and firmwareVersion are ignored. These fields MAY be used as an input to risk engines.

        /// If x5c is present, this indicates that the attestation type is not ECDAA. In this case:
        if (attestationStatement.getX5c() != null) {
            validateX5c(attestationStatement, certInfo, authenticatorData);
            /// If successful, return implementation-specific values representing attestation type AttCA and attestation trust path x5c.
            return AttestationType.ATT_CA;
        }
        throw new BadAttestationStatementException("`x5c` or `ecdaaKeyId` must be present.");
    }

    private String getMessageDigestJcaName(COSEAlgorithmIdentifier alg) {
        String messageDigestJcaName;
        try {
            SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.create(alg);
            messageDigestJcaName = signatureAlgorithm.getMessageDigestJcaName();
        } catch (IllegalArgumentException e) {
            throw new BadAttestationStatementException("alg is not signature algorithm", e);
        }
        return messageDigestJcaName;
    }

    private void validateX5c(TPMAttestationStatement attestationStatement, TPMSAttest certInfo, AuthenticatorData<RegistrationExtensionAuthenticatorOutput<?>> authenticatorData) {
        X509Certificate aikCert = attestationStatement.getX5c().getEndEntityAttestationCertificate().getCertificate();

        /// Verify the sig is a valid signature over certInfo using the attestation public key in aikCert with the algorithm specified in alg.
        String jcaName = getJcaName(attestationStatement.getAlg());
        Signature certInfoSignature = SignatureUtil.createSignature(jcaName);
        try {
            certInfoSignature.initVerify(aikCert.getPublicKey());
            certInfoSignature.update(certInfo.getBytes());
            if (!certInfoSignature.verify(attestationStatement.getSig())) {
                throw new BadAttestationStatementException("hash of certInfo doesn't match with sig.");
            }
        } catch (SignatureException | InvalidKeyException e) {
            throw new BadAttestationStatementException("Failed to validate the signature.", e);
        }

        /// Verify that aikCert meets the requirements in §8.3.1 TPM Attestation Statement Certificate Requirements.
        validateAikCert(aikCert);

        /// If aikCert contains an extension with OID 1 3 6 1 4 1 45724 1 1 4 (id-fido-gen-ce-aaguid) verify that the value of this extension matches the aaguid in authenticatorData.
        byte[] aaguidBytes = aikCert.getExtensionValue(ID_FIDO_GEN_CE_AAGUID);
        if (aaguidBytes != null && !Objects.equals(new AAGUID(aaguidBytes), authenticatorData.getAttestedCredentialData().getAaguid())) {
            throw new BadAttestationStatementException("AAGUID in aikCert doesn't match with that in authenticatorData");
        }
    }

    String getAlgJcaName(TPMIAlgHash alg) {
        String algJcaName;
        switch (alg) {
            case TPM_ALG_SHA1:
                algJcaName = "SHA-1";
                break;
            case TPM_ALG_SHA256:
                algJcaName = "SHA-256";
                break;
            case TPM_ALG_SHA384:
                algJcaName = "SHA-384";
                break;
            case TPM_ALG_SHA512:
                algJcaName = "SHA-512";
                break;
            default:
                throw new BadAttestationStatementException("nameAlg '" + alg.name() + "' is not supported.");
        }
        return algJcaName;
    }

    public TPMDevicePropertyValidator getTpmDevicePropertyValidator() {
        return tpmDevicePropertyValidator;
    }

    public void setTpmDevicePropertyValidator(TPMDevicePropertyValidator tpmDevicePropertyValidator) {
        this.tpmDevicePropertyValidator = tpmDevicePropertyValidator;
    }

    private void validatePublicKeyEquality(TPMTPublic pubArea, AuthenticatorData<RegistrationExtensionAuthenticatorOutput<?>> authenticatorData) {
        PublicKey publicKeyInAuthData =
                authenticatorData.getAttestedCredentialData().getCOSEKey().getPublicKey();
        TPMUPublicId publicKeyInPubArea = pubArea.getUnique();

        if (pubArea.getType() == TPMIAlgPublic.TPM_ALG_RSA && publicKeyInPubArea instanceof RSAUnique) {
            RSAPublicKey rsaPublicKey = (RSAPublicKey) publicKeyInAuthData;
            TPMSRSAParms parms = (TPMSRSAParms) pubArea.getParameters();
            RSAUnique rsaUnique = (RSAUnique) publicKeyInPubArea;
            long exponent = UnsignedNumberUtil.getUnsignedInt(parms.getExponent());
            if (exponent == 0) {
                exponent = 65537; // 2^16 + 1
            }
            if (rsaPublicKey.getModulus().equals(new BigInteger(1, rsaUnique.getN())) &&
                    rsaPublicKey.getPublicExponent().equals(BigInteger.valueOf(exponent))) {
                return;
            }
        } else if (pubArea.getType() == TPMIAlgPublic.TPM_ALG_ECDSA && publicKeyInPubArea instanceof ECCUnique) {
            ECPublicKey ecPublicKey = (ECPublicKey) publicKeyInAuthData;
            TPMSECCParms parms = (TPMSECCParms) pubArea.getParameters();
            EllipticCurve curveInParms = parms.getCurveId().getEllipticCurve();
            ECCUnique eccUnique = (ECCUnique) publicKeyInPubArea;
            if (ecPublicKey.getParams().getCurve().equals(curveInParms) &&
                    ecPublicKey.getW().getAffineX().equals(new BigInteger(1, eccUnique.getX())) &&
                    ecPublicKey.getW().getAffineY().equals(new BigInteger(1, eccUnique.getY()))) {
                return;
            }
        }
        throw new BadAttestationStatementException("publicKey in authData and publicKey in unique pubArea doesn't match");
    }


    void validateAikCert(X509Certificate certificate) {
        try {
            /// TPM attestation certificate MUST have the following fields/extensions:
            /// Version MUST be set to 3.
            if (!Objects.equals(certificate.getVersion(), 3)) {
                throw new BadAttestationStatementException("x5c must be version 3.");
            }
            /// Subject field MUST be set to empty.
            if (!certificate.getSubjectDN().getName().isEmpty()) {
                throw new BadAttestationStatementException("x5c subject field MUST be set to empty");
            }
            /// The Subject Alternative Name extension MUST be set as defined in [TPMv2-EK-Profile] section 3.2.9.
            validateSubjectAlternativeName(certificate);
            /// The Extended Key Usage extension MUST contain the "joint-iso-itu-t(2) internationalorganizations(23) 133 tcg-kp(8) tcg-kp-AIKCertificate(3)" OID.
            if (certificate.getExtendedKeyUsage() == null || !certificate.getExtendedKeyUsage().contains("2.23.133.8.3")) {
                throw new BadAttestationStatementException("Attestation certificate doesn't contain tcg-kp-AIKCertificate (2.23.133.8.3) OID");
            }
            /// The Basic Constraints extension MUST have the CA component set to false.
            if (certificate.getBasicConstraints() != -1) {
                throw new BadAttestationStatementException("The Basic Constraints extension of attestation certificate must have the CA component set to false");
            }
            /// An Authority Information Access (AIA) extension with entry id-ad-ocsp and a CRL Distribution Point
            /// extension [RFC5280] are both OPTIONAL as the status of many attestation certificates is available
            /// through metadata services. See, for example, the FIDO Metadata Service  [FIDOMetadataService].

        } catch (CertificateParsingException e) {
            throw new BadAttestationStatementException("Failed to parse attestation certificate", e);
        }
    }

    private void validateSubjectAlternativeName(X509Certificate certificate) throws CertificateParsingException {
        try {
            for (List<?> entry : certificate.getSubjectAlternativeNames()) {
                if (entry.get(0).equals(4)) {
                    X500Name directoryName = new X500Name((String) entry.get(1));
                    TPMDeviceProperty tpmDeviceProperty = parseTPMDeviceProperty(directoryName);
                    tpmDevicePropertyValidator.validate(tpmDeviceProperty);
                    return;
                }
            }
        } catch (IOException | RuntimeException e) {
            throw new BadAttestationStatementException("The Subject Alternative Name extension of attestation certificate does not contain a TPM device property", e);
        }
        throw new BadAttestationStatementException("The Subject Alternative Name extension of attestation certificate does not contain a TPM device property");
    }

    TPMDeviceProperty parseTPMDeviceProperty(X500Name directoryName) throws IOException {
        Map<String, String> map = directoryName.stream().flatMap(attributes -> attributes.entrySet().stream()).collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));

        String manufacturerAttr = map.get("2.23.133.2.1");
        String partNumberAttr = map.get("2.23.133.2.2");
        String firmwareVersionAttr = map.get("2.23.133.2.3");

        String manufacturer = decodeAttr(manufacturerAttr);
        String partNumber = decodeAttr(partNumberAttr);
        String firmwareVersion = decodeAttr(firmwareVersionAttr);

        return new TPMDeviceProperty(manufacturer, partNumber, firmwareVersion);
    }

    private String decodeAttr(String attr) throws IOException {
        String value = null;
        if (attr != null) {
            byte[] bytes = HexUtil.hex2bytes(attr.substring(1));
            Asn1Utf8String attrAsn1Utf8String = new Asn1Utf8String();
            attrAsn1Utf8String.decode(bytes);
            value = attrAsn1Utf8String.getValue();
        }
        return value;
    }


    private byte[] getAttToBeSigned(RegistrationObject registrationObject) {
        MessageDigest messageDigest = MessageDigestUtil.createSHA256();
        byte[] authenticatorData = registrationObject.getAuthenticatorDataBytes();
        byte[] clientDataHash = messageDigest.digest(registrationObject.getCollectedClientDataBytes());
        return ByteBuffer.allocate(authenticatorData.length + clientDataHash.length).put(authenticatorData).put(clientDataHash).array();
    }

}